├── .github
├── ISSUE_TEMPLATE
│ └── request.md
├── dependabot.yaml
├── funding.yaml
├── pull_request_template.md
└── workflows
│ ├── ci.yaml
│ └── housekeeping.yaml
├── .gitignore
├── .lycheeignore
├── .markdownlint.yaml
├── .spellcheck.yaml
├── .wordlist.txt
├── 404.html
├── Gemfile
├── README.md
├── _config.yml
├── _data
├── docs-1.yaml
└── docs-2.yaml
├── _includes
├── banner.html
├── breadcrumb.html
└── navigation.html
├── _layouts
└── redirected.html
├── assets
├── images
│ ├── cupcake-256x256.png
│ └── itx-logo.png
└── schemas
│ ├── owasp.threat-dragon.schema.V1.json
│ ├── owasp.threat-dragon.schema.V2.json
│ └── threat.model.format.schema.json
├── code_of_conduct.md
├── contributing.md
├── docs-1
├── about.md
├── api.md
├── cli.md
├── contributing.md
├── credits.md
├── downloads.md
├── getting-started.md
├── info.md
├── install
│ ├── info.md
│ ├── install-desktop.md
│ ├── install-webapp.md
│ ├── install.md
│ └── setup-env.md
├── introduction.md
├── threat-generation.md
├── threat-model-diagrams.md
└── toc.md
├── docs-2
├── about.md
├── credits.md
├── development
│ ├── api.md
│ ├── contributing.md
│ ├── environment.md
│ ├── info.md
│ ├── internationalization.md
│ ├── local-development.md
│ ├── schema.md
│ └── testing
│ │ ├── actions.md
│ │ ├── adhoc.md
│ │ ├── e2e.md
│ │ ├── info.md
│ │ └── unit.md
├── info.md
├── introduction.md
├── toc.md
├── trust
│ ├── container.md
│ ├── dast.md
│ ├── dependencies.md
│ ├── incidents.md
│ ├── info.md
│ └── sast.md
└── usage
│ ├── config
│ ├── bitbucket.md
│ ├── environment.md
│ ├── github.md
│ ├── gitlab.md
│ ├── google.md
│ ├── info.md
│ └── local.md
│ ├── info.md
│ ├── install
│ ├── desktop.md
│ ├── docker.md
│ ├── info.md
│ ├── installation.md
│ └── web.md
│ └── modeling
│ ├── diagrams.md
│ ├── getting-started.md
│ ├── info.md
│ ├── threat-categories.md
│ └── threats.md
├── index.md
├── info.md
├── leaders.md
├── license.txt
├── security.md
├── tab_faqs.md
├── tab_releases.md
├── tab_roadmap.md
└── tab_tmf.md
/.github/ISSUE_TEMPLATE/request.md:
--------------------------------------------------------------------------------
1 | ---
2 | name: Change request
3 | about: Suggest a change for this project
4 | title: ''
5 | labels: 'enhancement'
6 | assignees: ''
7 |
8 | ---
9 |
10 | **Describe what change you would like**:
11 |
12 |
13 | **Context**:
14 |
15 |
--------------------------------------------------------------------------------
/.github/dependabot.yaml:
--------------------------------------------------------------------------------
version: 2
updates:
  # Only the GitHub Actions ecosystem is monitored here; the `github-pages`
  # gem in the Gemfile is not covered by this configuration.
  - package-ecosystem: "github-actions"
    directory: ".github/workflows"
    schedule:
      interval: "monthly"
    ignore:
      # ignore all (non-security) patch updates
      # NOTE(review): confirm against the Dependabot docs that this `ignore`
      # rule does not also suppress security PRs for patch releases — the
      # `update-security` group below expects "patch" security updates.
      - dependency-name: "*"
        update-types: ["version-update:semver-patch"]
    groups:
      # one grouped PR per month for minor version bumps
      update-version:
        applies-to: version-updates
        patterns:
          - "*"
        update-types:
          - "minor"
      # security fixes are grouped separately and include patch releases
      update-security:
        applies-to: security-updates
        patterns:
          - "*"
        update-types:
          - "patch"
          - "minor"
--------------------------------------------------------------------------------
/.github/funding.yaml:
--------------------------------------------------------------------------------
# GitHub funding file: OWASP donation page for this project plus the OWASP
# GitHub sponsor profile.
custom: 'https://owasp.org/donate/?reponame=www-project-threat-dragon&title=OWASP+Threat+Dragon'
github: OWASP
--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
1 | **Summary**:
2 |
6 |
7 | **Description for the changelog**:
8 |
11 |
12 | **Other info**:
13 |
17 |
18 | Thanks for submitting a pull request!
19 | Please make sure you follow our code_of_conduct.md and our contributing guidelines in contributing.md
20 |
--------------------------------------------------------------------------------
/.github/workflows/ci.yaml:
--------------------------------------------------------------------------------
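name: CI pipeline
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:

# Least privilege for the workflow token: every job below only reads the
# repository (checkout, lint, spell check, link check), so nothing here needs
# write access. A job that declares its own `permissions` replaces this block.
permissions:
  contents: read

# for security reasons the github actions are pinned to specific release versions
# NOTE(review): a release tag can be moved by the action's maintainer, so the
# stronger form is to pin each `uses:` to the full commit SHA of that release
# and keep the version in a trailing comment; Dependabot still tracks SHA pins.
jobs:
  link_checker:
    name: Link checker
    runs-on: ubuntu-24.04

    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.0

      - name: Link Checker
        uses: lycheeverse/lychee-action@v2.4.0
        with:
          # skip the jekyll files
          args: --verbose --no-progress --max-retries 1 --exclude-path './_includes/*.html' '**/*.md' '*.md'
          fail: true
        env:
          # token used by lychee for GitHub API requests; with the read-only
          # permissions above it cannot modify the repository
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

  md_linter:
    name: Lint markdown
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.0

      - name: Lint markdown
        uses: DavidAnson/markdownlint-cli2-action@v19.1.0
        with:
          config: '.markdownlint.yaml'
          globs: '**/*.md'

  spell_checker:
    name: Check spelling
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.0

      - name: spell_checker
        uses: rojopolis/spellcheck-github-actions@0.49.0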
--------------------------------------------------------------------------------
/.github/workflows/housekeeping.yaml:
--------------------------------------------------------------------------------
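name: Housekeeping
on:
  # Run daily at 7:00
  schedule:
    - cron: '0 7 * * *'
  workflow_dispatch:

# Default token scope for jobs that do not declare their own `permissions`
# (link_checker): read-only. A job-level `permissions` block replaces this
# entirely, so the write scopes below stay limited to the jobs that need them.
permissions:
  contents: read

# for security reasons the github actions are pinned to specific release versions
# NOTE(review): `actions/stale@v9` is a major-version tag rather than a specific
# release, and any tag can be moved by its maintainer; pinning every `uses:` to
# the full commit SHA of the release (version kept in a trailing comment) is the
# stronger form. This matters most for the two third-party actions that receive
# a write-scoped token in the workflow_cleaner job.
jobs:
  workflow_cleaner:
    name: Tidy workflows
    runs-on: ubuntu-24.04
    # the only scope granted: needed by the run-deletion actions below
    permissions:
      actions: write

    steps:
      - name: Delete stale workflow runs
        uses: Mattraks/delete-workflow-runs@v2.0.6
        with:
          token: ${{ github.token }}
          repository: ${{ github.repository }}
          retain_days: 28
          keep_minimum_runs: 10

      - name: Delete unused workflows
        uses: otto-de/purge-deprecated-workflow-runs@v3.0.1
        with:
          token: ${{ github.token }}

  link_checker:
    name: Link checker
    runs-on: ubuntu-24.04

    steps:
      - name: Checkout markdown
        uses: actions/checkout@v4.2.0

      - name: Link Checker
        uses: lycheeverse/lychee-action@v2.4.0
        with:
          # skip the jekyll files
          args: --verbose --no-progress --max-retries 1 --exclude-path './_includes/*.html' '**/*.md' '*.md'
          fail: true
        env:
          # token used by lychee for GitHub API requests; read-only via the
          # top-level permissions block
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

  stale:
    name: Tidy pull requests
    runs-on: ubuntu-24.04
    permissions:
      pull-requests: write
      issues: write

    steps:
      - name: Tidy stale PRs and issues
        uses: actions/stale@v9
        with:
          # issues are labelled stale after 6 months but never auto-closed (-1)
          days-before-issue-stale: 183
          days-before-issue-close: -1
          stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
          stale-issue-label: stale
          remove-issue-stale-when-updated: true
          # PRs: stale after 42 days, closed 7 days later, i.e. 7 weeks without
          # activity in total — the close message below states the same period
          days-before-pr-stale: 42
          days-before-pr-close: 7
          stale-pr-message: 'This PR is stale because it has been open 42 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
          close-pr-message: 'This PR was closed because it has been stalled for 7 weeks with no activity.'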
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
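# uses allow-list, so ignore everything not explicitly allowed
*

# allow github, workflows and templates
!.github/
!.github/*.yaml
# the directory name must match the case used in the tree (ISSUE_TEMPLATE);
# gitignore matching is case-sensitive on case-sensitive filesystems, so a
# lower-case pattern would leave new files in that directory ignored there
!.github/ISSUE_TEMPLATE/
!.github/ISSUE_TEMPLATE/*.md
!.github/workflows/
!.github/workflows/*.yaml
!.gitignore
!.lycheeignore
!.markdownlint.yaml
!.spellcheck.yaml
!.wordlist.txt

# allow markdown and the assets
!*.md
!license.txt
!assets/
!assets/images/
!assets/images/*.png
!assets/schemas/
!assets/schemas/*.json

# allow jekyll build files (Gemfile.lock stays ignored)
!404.html
!Gemfile
!_config.yml

# allow docs files
!_data
!_data/*.yaml
!_layouts
!_layouts/*.html
!_includes
!_includes/*.html
!docs-1/
!docs-1/install/
!docs-1/**/*.md
!docs-2/
!docs-2/development/
!docs-2/development/testing/
!docs-2/trust/
!docs-2/usage/
!docs-2/usage/config/
!docs-2/usage/install/
!docs-2/usage/modeling/
!docs-2/**/*.md
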
--------------------------------------------------------------------------------
/.lycheeignore:
--------------------------------------------------------------------------------
1 | # ignore these false positives from the link checker housekeeper
2 |
3 | # added by the OWASP jekyll page builder, so no control over them:
4 | https://groups.google.com/a/owasp.com/
5 |
6 | # links referred to in documentation, not intended as actual links
7 | http://localhost
8 | http://127.0.0.1
9 |
10 | # incorrectly get 'Network error: Forbidden'
11 | https://www.deviantart.com
12 |
13 | # Too many redirects: error following redirect for docker tags
14 | https://hub.docker.com/repository/docker/threatdragon/owasp-threat-dragon/tags
15 |
--------------------------------------------------------------------------------
/.markdownlint.yaml:
--------------------------------------------------------------------------------
---
# markdownlint configuration, referenced by the "Lint markdown" CI job.
# Rules disabled for this site's markdown:
no-trailing-punctuation: false
no-inline-html: false
first-line-heading: false
link-fragments: false

# MD013 - Line length
MD013:
  code_block_line_length: 125
  code_blocks: true
  heading_line_length: 80
  headings: true
  line_length: 125
  stern: true
  strict: false
  tables: false
--------------------------------------------------------------------------------
/.spellcheck.yaml:
--------------------------------------------------------------------------------
# pyspelling configuration (presumably read by the spell_checker CI job).
matrix:
  - name: Markdown
    aspell:
      lang: en
    dictionary:
      # project-specific words accepted by the checker
      wordlists:
        - .wordlist.txt
      output: wordlist.dic
      encoding: utf-8
    pipeline:
      - pyspelling.filters.markdown:
      - pyspelling.filters.html:
          comments: false
          # code spans and preformatted blocks are not spell-checked
          ignores:
            - code
            - pre
    sources:
      - '**/*.md'
    default_encoding: utf-8
--------------------------------------------------------------------------------
/.wordlist.txt:
--------------------------------------------------------------------------------
1 | AIX
2 | APIs
3 | AdHoc
4 | AntV
5 | AppImage
6 | Atlassian
7 | Bahasa
8 | BaseURL
9 | BitBucket
10 | Bitbucket
11 | Bohy
12 | BrowserStack
13 | CLI
14 | CN
15 | CVE
16 | CVEs
17 | CVSS
18 | CentOS
19 | CodeQL
20 | DAST
21 | Dependabot
22 | Detectability
23 | Deutsch
24 | DoS
25 | DockerHub
26 | DotEnv
27 | Dotenv
28 | ENV
29 | ESLint
30 | El
31 | FI
32 | FQDN
33 | Faqs
34 | Gamification
35 | GitLab
36 | ITMJ
37 | Identifiability
38 | Installable
39 | JSON
40 | JWT
41 | JWTs
42 | Jira
43 | JointJS
44 | LINDDUN
45 | LTS
46 | Libre
47 | Linkability
48 | MacOS
49 | MochaJS
50 | Moneypenny
51 | NSIS
52 | OAuth
53 | OSX
54 | OTM
55 | OWASP
56 | OneDrive
57 | OpenDocument
58 | PLOT4ai
59 | PNG
60 | PRs
61 | PWD
62 | Pythonic
63 | Quickstart
64 | Roadmap
65 | SAST
66 | SCA
67 | SVG
68 | SY
69 | SeaSponge
70 | Sinon
71 | Styran
72 | Suomi
73 | TBD
74 | TD's
75 | TLS
76 | TMF
77 | TMT
78 | TSV
79 | Threagile
80 | ThreatDragonModels
81 | Trisqel
82 | Trivy
83 | UI
84 | URI
85 | URL
86 | URLEncoded
87 | Utils
88 | Validator
89 | Vue
90 | WDIO
91 | adhoc
92 | ai
93 | ajv
94 | amd
95 | antv
96 | api
97 | ara
98 | auth
99 | backend
100 | bitbucket
101 | boolean
102 | browserstack
103 | bunyan
104 | chai
105 | ci
106 | cli
107 | config
108 | configs
109 | cron
110 | dast
111 | dataflow
112 | debian
113 | decrypting
114 | deu
115 | dev
116 | diagramJson
117 | diagramType
118 | displaytext
119 | dmg
120 | dockerfile
121 | dockerhub
122 | dotenv
123 | dotenv
124 | drawio
125 | dropdown
126 | eg
127 | eng
128 | env
129 | español
130 | exe
131 | filesystem
132 | fra
133 | français
134 | frontend
135 | github
136 | githubusercontent
137 | gitlab
138 | gridlines
139 | hin
140 | hoc
141 | hostname
142 | html
143 | http
144 | https
145 | ind
146 | ini
147 | installable
148 | io
149 | javascript
150 | jpg
151 | jpn
152 | js
153 | json
154 | jwt
155 | kubernetes
156 | lifecycle
157 | linux
158 | localhost
159 | misconfigurations
160 | misconfigurations
161 | mitigations
162 | mr
163 | node.js
164 | npm
165 | nvm
166 | openssl
167 | orchestrator
168 | owasp
169 | pdf
170 | permalink
171 | pipleines
172 | pnpm
173 | por
174 | português
175 | postfix
176 | pythonic
177 | pytm
178 | remediations
179 | renderer
180 | repo
181 | repos
182 | roadmap
183 | sast
184 | sexualized
185 | snapcraft
186 | socio
187 | sudo
188 | tdVersion
189 | threatdragon
190 | transpiled
191 | trivy
192 | unpatched
193 | unselected
194 | uptime
195 | url
196 | vue
197 | webapp
198 | webpack
199 | www
200 | yargs
201 | zho
202 |
--------------------------------------------------------------------------------
/404.html:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: 404 - Not Found
4 | layout: col-generic
5 |
6 | ---
7 |
8 |
9 |
10 |
WHOA THAT PAGE CANNOT BE FOUND
11 |
Try the SEARCH function in the main navigation to find something.
12 | If you are looking for chapter information, please see Chapters for the correct chapter.
13 | For information about OWASP projects see Projects .
14 | For common attacks, vulnerabilities, or information about other community-led contributions see Contributed Content .
15 |
16 |
17 |
If all else fails you can search our historical site .
18 |
19 |
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
# Gems for building the Jekyll site locally.
source 'https://rubygems.org'

# github-pages is not version-pinned here; Bundler resolves it at install time
# and Gemfile.lock is excluded by the .gitignore allow-list.
gem 'github-pages', group: :jekyll_plugins
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 |
4 |
5 |
6 | [][build]
7 | [](license.txt)
8 | [](https://www.owasp.org/projects)
9 | [](https://www.bestpractices.dev/projects/9266)
10 |
11 | ## OWASP Foundation Threat Dragon Homepage
12 |
13 | This repo is the source for the OWASP Threat Dragon project [web pages](https://owasp.org/www-project-threat-dragon/)
14 | and the Threat Dragon documentation for [version 1.x][docs1] and for [version 2.x][docs2].
15 |
16 | Create issues on this repository only for content hosted on the OWASP project site, including the documentation.
17 | For issues or suggestions related to the Threat Dragon tool itself use the
18 | [Threat Dragon](https://github.com/OWASP/threat-dragon) repository.
19 |
20 | You can contact the Threat Dragon community via the OWASP Slack
21 | [#project-threat-dragon](https://owasp.slack.com/messages/CURE8PQ68) project channel,
22 | and you may need to [subscribe](https://owasp.org/slack/invite) first.
23 |
24 | ### Project leaders
25 |
26 | * [Mike Goodwin](mailto:mike.goodwin@owasp.org)
27 | * [Jon Gadsden](mailto:jon.gadsden@owasp.org)
28 | * [Leo Reading](mailto:leo.reading@owasp.org)
29 |
30 | ----
31 |
32 | Threat Dragon: _making threat modeling less threatening_
33 |
34 | [build]: https://github.com/OWASP/www-project-threat-dragon/actions/workflows/ci.yaml
35 | [docs1]: https://threatdragon.github.io/
36 | [docs2]: https://www.threatdragon.com/docs/
37 |
--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
# Jekyll site configuration for the OWASP project page.
# NOTE(review): the theme is pulled from the `main` branch of the shared OWASP
# theme repository, so theme changes arrive here without review; pinning to a
# tag or commit would make the site build reproducible.
remote_theme: 'owasp/www--site-theme@main'
plugins:
  - jekyll-include-cache-0.2.0
--------------------------------------------------------------------------------
/_data/docs-1.yaml:
--------------------------------------------------------------------------------
# Navigation entries for the version 1.x documentation (docs-1/).
# The `url` values are page permalinks rather than file names (e.g. `setup`,
# `diagrams`) — assumed to match the front matter of the docs-1 pages; confirm.
docs_list_title: Threat Dragon v1.6.1
docs:
  - title: 'Introduction'
    url: introduction
  - title: 'About'
    url: about
  - title: 'Install'
    url: install
  - title: 'Install: web app'
    url: install-webapp
  - title: 'Install: environment'
    url: setup
  - title: 'Install: desktop'
    url: install-desktop
  - title: 'Getting started'
    url: getting-started
  - title: 'Threat model diagrams'
    url: diagrams
  - title: 'Threat generation'
    url: threat-generation
  - title: 'API'
    url: api
  - title: 'CLI'
    url: cli
  - title: 'Downloads'
    url: downloads
  - title: 'Contributing'
    url: contributing
  - title: 'Credits'
    url: credits
--------------------------------------------------------------------------------
/_data/docs-2.yaml:
--------------------------------------------------------------------------------
# Navigation entries for the version 2.x documentation (docs-2/).
# NOTE(review): only the introduction is listed although docs-2/ holds many
# more pages; presumably intentional since _layouts/redirected.html states the
# 2.x documentation has moved to another site — confirm.
docs_list_title: Threat Dragon v2.4
docs:
  - title: 'Introduction'
    url: introduction
--------------------------------------------------------------------------------
/_includes/banner.html:
--------------------------------------------------------------------------------
{% comment %}
Version banner shown on pages whose URL is under /docs-1/ or /docs-2/.
NOTE(review): the docs-2 banner says "version 2.0" while _data/docs-2.yaml
titles the 2.x docs "Threat Dragon v2.4" — confirm which version string is current.
{% endcomment %}
1 |
2 | {% if page.url contains "/docs-1/" %}
3 |
4 | You're viewing documentation for Threat Dragon version 1.6.1
5 |
6 | {% endif %}
7 |
8 | {% if page.url contains "/docs-2/" %}
9 |
10 | You're viewing documentation for Threat Dragon version 2.0
11 |
12 | {% endif %}
13 |
14 |
--------------------------------------------------------------------------------
/_includes/breadcrumb.html:
--------------------------------------------------------------------------------
{% comment %}
Builds a breadcrumb trail from the current page URL: strips "/index.html",
splits the remaining path on "/", and for every segment from index 1 onwards
(index 0 is the empty segment before the leading slash) looks for a site page
whose url equals "<prefix>/<segment>/index.html" or "<prefix>/<segment>/".
A matching segment is rendered after a ">" separator: the first one
capitalized, later ones with underscores replaced by spaces. Segments with no
matching page produce no output.
{% endcomment %}
1 |
2 |
Home
3 | {%- capture page_url_without_index_html -%}{{ page.url | remove: "/index.html" }}{%- endcapture -%}
4 | {%- assign split_url_parts = page_url_without_index_html | split: '/' -%}
5 | {%- capture forLoopMaxInt -%}{{ split_url_parts.size | minus:1 }}{%- endcapture -%}
6 | {%- for i in (1..forLoopMaxInt) -%}
7 | {%- capture current_breadcrumb_url -%}{{next_prepender}}/{{ split_url_parts[i] }}/index.html{%- endcapture -%}
8 | {%- capture current_breadcrumb_md_url -%}{{next_prepender}}/{{ split_url_parts[i] }}/{%- endcapture -%}
9 | {%- capture next_prepender -%}{{next_prepender}}/{{ split_url_parts[i] }}{%- endcapture -%}
10 | {%- for breadcrumb_page in site.pages -%}
11 | {%- if current_breadcrumb_url == breadcrumb_page.url or current_breadcrumb_md_url == breadcrumb_page.url -%}
12 | {%- capture breadcrumb_page_page_url_without_index_html -%}{{ breadcrumb_page.url | remove: "index.html" }}{%- endcapture -%}
13 | >
14 | {%- if i == 1 -%}
15 | {{split_url_parts[i] | capitalize }}
16 | {%- else -%}
17 | {{split_url_parts[i] | replace: "_", " "}}
18 | {%- endif -%}
19 |
20 | {%- endif -%}
21 | {%- endfor -%}
22 | {%- endfor -%}
23 |
24 |
--------------------------------------------------------------------------------
/_includes/navigation.html:
--------------------------------------------------------------------------------
{% comment %}
Loads the navigation list for the data collection named by the include
parameter (e.g. `_data/docs-1.yaml` when included with collection="docs-1").
{% endcomment %}
1 | {% assign nav = site.data[include.collection] %}
2 |
3 |
4 |
--------------------------------------------------------------------------------
/_layouts/redirected.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 | Threat Dragon documentation has moved
10 | The documentation has been migrated to the OWASP demo site
11 | which provides the latest Threat Dragon version 2.x documentation.
12 | Redirecting...
13 | Click here if you are not redirected.
14 |
15 |
16 |
17 |
18 |
--------------------------------------------------------------------------------
/assets/images/cupcake-256x256.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-threat-dragon/60b9438fed9f8e9d26f5260987fc8d546d4dd0d1/assets/images/cupcake-256x256.png
--------------------------------------------------------------------------------
/assets/images/itx-logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/OWASP/www-project-threat-dragon/60b9438fed9f8e9d26f5260987fc8d546d4dd0d1/assets/images/itx-logo.png
--------------------------------------------------------------------------------
/assets/schemas/owasp.threat-dragon.schema.V1.json:
--------------------------------------------------------------------------------
1 | {
2 | "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/owasp.threat-dragon.schema.V1.json",
3 | "title": "Threat Dragon model schema",
4 | "description": "The threat models used by OWASP Threat Dragon",
5 | "type": "object",
6 | "properties": {
7 | "version": {
8 | "description": "Threat Dragon version used in the model",
9 | "type": "string",
10 | "maxLength": 5
11 | },
12 | "summary": {
13 | "description": "Threat model project meta-data",
14 | "type": "object",
15 | "properties": {
16 | "description": {
17 | "description": "Description of the threat model used for report outputs",
18 | "type": "string"
19 | },
20 | "id": {
21 | "description": "A unique identifier for this main threat model object",
22 | "type": "integer",
23 | "minimum": 0
24 | },
25 | "owner": {
26 | "description": "The original creator or overall owner of the model",
27 | "type": "string"
28 | },
29 | "title": {
30 | "description": "Threat model title",
31 | "type": "string"
32 | }
33 | },
34 | "required": [ "title" ]
35 | },
36 | "detail": {
37 | "description": "Threat model definition",
38 | "type": "object",
39 | "properties": {
40 | "contributors": {
41 | "description": "An array of contributors to the threat model project",
42 | "type": "array",
43 | "items": {
44 | "type": "object",
45 | "properties": {
46 | "name": {
47 | "description": "The name of the contributor",
48 | "type": "string"
49 | }
50 | }
51 | }
52 | },
53 | "diagrams": {
54 | "description": "An array of single or multiple threat data-flow diagrams",
55 | "type": "array",
56 | "items": {
57 | "type": "object",
58 | "properties": {
59 | "diagramType": {
60 | "description": "The methodology used by the data-flow diagram",
61 | "type": "string",
62 | "minLength": 3
63 | },
64 | "id": {
65 | "description": "The sequence number of the diagram",
66 | "type": "integer",
67 | "minimum": 0
68 | },
69 | "size": {
70 | "description": "The size of the diagram drawing canvas",
71 | "type": "object",
72 | "properties": {
73 | "height": {
74 | "description": "The height of the diagram drawing canvas",
75 | "type": "integer",
76 | "minimum": 50
77 | },
78 | "width": {
79 | "description": "The width of the diagram drawing canvas",
80 | "type": "integer",
81 | "minimum": 50
82 | }
83 | },
84 | "required": [ "height", "width" ]
85 | },
86 | "thumbnail": {
87 | "description": "The path to the thumbnail image for the diagram",
88 | "type": "string"
89 | },
90 | "title": {
91 | "description": "The title of the data-flow diagram",
92 | "type": "string"
93 | },
94 | "version": {
95 | "description": "Threat Dragon version used in the diagram",
96 | "type": "string",
97 | "maxLength": 5
98 | },
99 | "diagramJson": {
100 | "description": "The data-flow diagram components",
101 | "type": "object",
102 | "properties": {
103 | "cells": {
104 | "description": "The individual diagram components",
105 | "type": "array",
106 | "items": {
107 | "type": "object",
108 | "properties": {
109 | "attrs": {
110 | "description": "The component display attributes",
111 | "type": "object",
112 | "properties": {
113 | ".element-shape": {
114 | "description": "The component shape attributes",
115 | "type": "object",
116 | "properties": {
117 | "class": {
118 | "description": "The component shape display attributes",
119 | "type": "string"
120 | }
121 | }
122 | },
123 | "text": {
124 | "description": "The component text",
125 | "type": "object",
126 | "properties": {
127 | "text": {
128 | "description": "The component text contents",
129 | "type": "string"
130 | }
131 | },
132 | "required": [ "text" ]
133 | },
134 | ".element-text": {
135 | "description": "The component text attributes",
136 | "type": "object",
137 | "properties": {
138 | "class": {
139 | "description": "The component text display attributes",
140 | "type": "string"
141 | }
142 | }
143 | }
144 | }
145 | },
146 | "angle": {
147 | "description": "The component rotation angle",
148 | "type": "integer"
149 | },
150 | "description": {
151 | "description": "The component description",
152 | "type": "string"
153 | },
154 | "handlesCardPayment": {
155 | "description": "The component flag set if the process handles credit card payment",
156 | "type": "boolean"
157 | },
158 | "handlesGoodsOrServices": {
159 | "description": "The component flag set if the process is part of a retail site",
160 | "type": "boolean"
161 | },
162 | "hasOpenThreats": {
163 | "description": "The component flag set if there are open threats",
164 | "type": "boolean"
165 | },
166 | "id": {
167 | "description": "The component unique identifier (UUID)",
168 | "type": "string",
169 | "minLength": 36
170 | },
171 | "isALog": {
172 | "description": "The component flag set if the store contains logs",
173 | "type": "boolean"
174 | },
175 | "isWebApplication": {
176 | "description": "The component flag set if the process is a web application",
177 | "type": "boolean"
178 | },
179 | "isEncrypted": {
180 | "description": "The component flag set if the data flow or store is encrypted",
181 | "type": "boolean"
182 | },
183 | "isSigned": {
184 | "description": "The component flag set if the data store uses signatures",
185 | "type": "boolean"
186 | },
187 | "isTrustBoundary": {
188 | "description": "The flag set if the component is a trust boundary curve or trust boundary box",
189 | "type": "boolean"
190 | },
191 | "labels": {
192 | "description": "The floating labels used for boundary or data-flow",
193 | "type": "array",
194 | "items": {
195 | "type": "object",
196 | "properties": {
197 | "position": {
198 | "description": "The label position",
199 | "type": "number"
200 | },
201 | "attrs": {
202 | "description": "The label text attributes",
203 | "type": "object",
204 | "properties": {
205 | "text": {
206 | "description": "The text attributes",
207 | "type": "object",
208 | "properties": {
209 | "font-size": {
210 | "description": "The text size",
211 | "type": "string"
212 | },
213 | "font-weight": {
214 | "description": "The text weight",
215 | "type": "string"
216 | },
217 | "text": {
218 | "description": "The text content",
219 | "type": "string"
220 | }
221 | },
222 | "required": ["font-size", "font-weight", "text"]
223 | }
224 | },
225 | "required": ["text"]
226 | }
227 | },
228 | "required": [ "attrs", "position" ]
229 | }
230 | },
231 | "outOfScope": {
232 | "description": "The component flag set if it is not in scope",
233 | "type": "boolean"
234 | },
235 | "position": {
236 | "description": "The component position",
237 | "type": "object",
238 | "properties": {
239 | "x": {
240 | "description": "The component horizontal position",
241 | "type": "number"
242 | },
243 | "y": {
244 | "description": "The component vertical position",
245 | "type": "number"
246 | }
247 | },
248 | "required": [ "x", "y" ]
249 | },
250 | "privilegeLevel": {
251 | "description": "The component's level of privilege/permissions",
252 | "type": "string"
253 | },
254 | "reasonOutOfScope": {
255 | "description": "The component description if out of scope",
256 | "type": "string"
257 | },
258 | "size": {
259 | "description": "The component size",
260 | "type": "object",
261 | "properties": {
262 | "height": {
263 | "description": "The component height",
264 | "type": "number",
265 | "minimum": 10
266 | },
267 | "width": {
268 | "description": "The component width",
269 | "type": "number",
270 | "minimum": 10
271 | }
272 | },
273 | "required": [ "height", "width" ]
274 | },
275 | "smooth": {
276 | "description": "The component curve type, for data flows and boundaries",
277 | "type": "boolean"
278 | },
279 | "source": {
280 | "description": "The component curve source",
281 | "type": "object",
282 | "properties": {
283 | "id": {
284 | "description": "The data-flow source component",
285 | "type": "string"
286 | },
287 | "x": {
288 | "description": "The boundary horizontal curve source",
289 | "type": "integer"
290 | },
291 | "y": {
292 | "description": "The boundary vertical curve source",
293 | "type": "integer"
294 | }
295 | }
296 | },
297 | "storesCredentials": {
298 | "description": "The component flag set if store contains credentials/PII",
299 | "type": "boolean"
300 | },
301 | "storesInventory": {
302 | "description": "The component flag set if store is part of a retail web application",
303 | "type": "boolean"
304 | },
305 | "target": {
306 | "description": "The component curve target",
307 | "type": "object",
308 | "properties": {
309 | "id": {
310 | "description": "The data-flow target component",
311 | "type": "string"
312 | },
313 | "x": {
314 | "description": "The boundary horizontal curve target",
315 | "type": "integer"
316 | },
317 | "y": {
318 | "description": "The boundary vertical curve target",
319 | "type": "integer"
320 | }
321 | }
322 | },
323 | "threats": {
324 | "description": "The threats associated with the component",
325 | "type": "array",
326 | "items": {
327 | "type": "object",
328 | "properties": {
329 | "description": {
330 | "description": "The threat description",
331 | "type": "string"
332 | },
333 | "mitigation": {
334 | "description": "The threat mitigation",
335 | "type": "string"
336 | },
337 | "modelType": {
338 | "description": "The threat methodology type",
339 | "type": "string"
340 | },
341 | "number": {
342 | "description": "The unique number for the threat",
343 | "type": "integer",
344 | "minimum": 0
345 | },
346 | "score": {
347 | "description": "The custom score/risk for the threat",
348 | "type": "string"
349 | },
350 | "severity": {
351 | "description": "The threat severity as High, Medium or Low",
352 | "type": "string"
353 | },
354 | "status": {
355 | "description": "The threat status as NA, Open or Mitigated",
356 | "type": "string"
357 | },
358 | "threatId": {
359 | "description": "The threat ID as a UUID",
360 | "type": "string",
361 | "minLength": 36
362 | },
363 | "title": {
364 | "description": "The threat title",
365 | "type": "string"
366 | },
367 | "type": {
368 | "description": "The threat type, selection according to modelType",
369 | "type": "string"
370 | }
371 | },
372 | "required": [ "description", "mitigation", "severity", "status", "title", "type" ]
373 | }
374 | },
375 | "type": {
376 | "description": "The component type",
377 | "type": "string"
378 | },
379 | "vertices": {
380 | "description": "The boundary or data-flow curve points",
381 | "type": "array",
382 | "items": {
383 | "type": "object",
384 | "properties": {
385 | "x": {
386 | "description": "The horizontal value of the curve point",
387 | "type": "integer"
388 | },
389 | "y": {
390 | "description": "The vertical value of the curve point",
391 | "type": "integer"
392 | }
393 | },
394 | "required": [ "x", "y" ]
395 | }
396 | },
397 | "z": {
398 | "description": "The component Z-plane",
399 | "type": "integer"
400 | }
401 | },
402 | "required": [ "attrs", "id", "size", "type", "z" ]
403 | }
404 | }
405 | }
406 | }
407 | },
408 | "required": [ "diagramType", "id", "size", "thumbnail", "title", "diagramJson" ]
409 | }
410 | },
411 | "diagramTop": {
412 | "description": "The highest diagram number in the threat model",
413 | "type": "integer",
414 | "minimum": 0
415 | },
416 | "reviewer": {
417 | "description": "The reviewer of the overall threat model",
418 | "type": "string"
419 | },
420 | "threatTop": {
421 | "description": "The highest threat number in the threat model",
422 | "type": "integer",
423 | "minimum": 0
424 | }
425 | },
426 | "required": [ "contributors", "diagrams" ]
427 | }
428 | },
429 | "required": [ "summary", "detail" ]
430 | }
431 |
--------------------------------------------------------------------------------
/assets/schemas/owasp.threat-dragon.schema.V2.json:
--------------------------------------------------------------------------------
1 | {
2 | "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/owasp.threat-dragon.schema.V2.json",
3 | "title": "Threat Dragon model schema",
4 | "description": "The threat models used by OWASP Threat Dragon",
5 | "type": "object",
6 | "properties": {
7 | "version": {
8 | "description": "Threat Dragon version used in the model",
9 | "type": "string",
10 | "maxLength": 10
11 | },
12 | "summary": {
13 | "description": "Threat model project meta-data",
14 | "type": "object",
15 | "properties": {
16 | "description": {
17 | "description": "Description of the threat model used for report outputs",
18 | "type": "string"
19 | },
20 | "id": {
21 | "description": "A unique identifier for this main threat model object",
22 | "type": "integer",
23 | "minimum": 0
24 | },
25 | "owner": {
26 | "description": "The original creator or overall owner of the model",
27 | "type": "string"
28 | },
29 | "title": {
30 | "description": "Threat model title",
31 | "type": "string"
32 | }
33 | },
34 | "required": [ "title" ]
35 | },
36 | "detail": {
37 | "description": "Threat model definition",
38 | "type": "object",
39 | "properties": {
40 | "contributors": {
41 | "description": "An array of contributors to the threat model project",
42 | "type": "array",
43 | "items": {
44 | "type": "object",
45 | "properties": {
46 | "name": {
47 | "description": "The name of the contributor",
48 | "type": "string"
49 | }
50 | }
51 | }
52 | },
53 | "diagrams": {
54 | "description": "An array of single or multiple threat data-flow diagrams",
55 | "type": "array",
56 | "items": {
57 | "type": "object",
58 | "properties": {
59 | "description": {
60 | "description": "The description of the diagram",
61 | "type": "string"
62 | },
63 | "diagramType": {
64 | "description": "The methodology used by the data-flow diagram",
65 | "type": "string",
66 | "minLength": 3
67 | },
68 | "id": {
69 | "description": "The sequence number of the diagram",
70 | "type": "integer",
71 | "minimum": 0
72 | },
73 | "placeholder": {
74 | "description": "The text used when the description is empty",
75 | "type": "string"
76 | },
77 | "thumbnail": {
78 | "description": "The path to the thumbnail image for the diagram",
79 | "type": "string"
80 | },
81 | "title": {
82 | "description": "The title of the data-flow diagram",
83 | "type": "string"
84 | },
85 | "version": {
86 | "description": "Threat Dragon version used in the diagram",
87 | "type": "string",
88 | "maxLength": 10
89 | },
90 | "cells": {
91 | "description": "The individual diagram components",
92 | "type": "array",
93 | "items": {
94 | "type": "object",
95 | "properties": {
96 | "attrs": {
97 | "description": "The component display attributes",
98 | "type": "object",
99 | "properties": {
100 | "body": {
101 | "description": "The component stroke attributes",
102 | "type": "object",
103 | "properties": {
104 | "stroke": {
105 | "description": "The stroke color",
106 | "type": "string"
107 | },
108 | "strokeWidth": {
109 | "description": "The stroke width",
110 | "type": "number"
111 | },
112 | "strokeDasharray": {
113 | "description": "The stroke dash ratio",
114 | "type": "string",
115 | "nullable": true
116 | }
117 | },
118 | "required": [ "stroke", "strokeWidth", "strokeDasharray" ]
119 | },
120 | "line": {
121 | "description": "The component stroke attributes",
122 | "type": "object",
123 | "properties": {
124 | "stroke": {
125 | "description": "The stroke color",
126 | "type": "string"
127 | },
128 | "strokeWidth": {
129 | "description": "The stroke width",
130 | "type": "number"
131 | },
132 | "sourceMarker": {
133 | "description": "The line source marker",
134 | "type": [ "object", "string" ],
135 | "properties": {
136 | "name": {
137 | "description": "The source marker shape",
138 | "type": "string"
139 | }
140 | },
141 | "required": [ "name" ]
142 | },
143 | "strokeDasharray": {
144 | "description": "The stroke dash ratio",
145 | "type": "string",
146 | "nullable": true
147 | },
148 | "targetMarker": {
149 | "description": "The line target marker",
150 | "type": [ "object", "string" ],
151 | "properties": {
152 | "name": {
153 | "description": "The target marker shape",
154 | "type": "string"
155 | }
156 | },
157 | "required": [ "name" ]
158 | }
159 | },
160 | "required": [ "targetMarker" ]
161 | }
162 | }
163 | },
164 | "data": {
165 | "description": "The component parameters",
166 | "type": "object",
167 | "properties": {
168 | "description": {
169 | "description": "The component description",
170 | "type": "string"
171 | },
172 | "handlesCardPayment": {
173 | "description": "The component flag set if the process handles credit card payment",
174 | "type": "boolean"
175 | },
176 | "handlesGoodsOrServices": {
177 | "description": "The component flag set if the process is part of a retail site",
178 | "type": "boolean"
179 | },
180 | "isALog": {
181 | "description": "The component flag set if the store contains logs",
182 | "type": "boolean"
183 | },
184 | "isBidirectional": {
185 | "description": "The data-flow flag set if it is bidirectional",
186 | "type": "boolean"
187 | },
188 | "isEncrypted": {
189 | "description": "The data-flow flag set if it is encrypted",
190 | "type": "boolean"
191 | },
192 | "isPublicNetwork": {
193 | "description": "The data-flow flag set if it crosses a public network",
194 | "type": "boolean"
195 | },
196 | "isSigned": {
197 | "description": "The component flag set if the data store uses signatures",
198 | "type": "boolean"
199 | },
200 | "isTrustBoundary": {
201 | "description": "The flag set if the component is a trust boundary curve or trust boundary box",
202 | "type": "boolean"
203 | },
204 | "isWebApplication": {
205 | "description": "The component flag set if the process is a web application",
206 | "type": "boolean"
207 | },
208 | "name": {
209 | "description": "The component name",
210 | "type": "string"
211 | },
212 | "outOfScope": {
213 | "description": "The component flag set if it is not in scope",
214 | "type": "boolean"
215 | },
216 | "privilegeLevel": {
217 | "description": "The component's level of privilege/permissions",
218 | "type": "string"
219 | },
220 | "protocol": {
221 | "description": "The data-flow protocol",
222 | "type": "string"
223 | },
224 | "providesAuthentication": {
225 | "description": "The component flag set if the Actor provides Authentication",
226 | "type": "boolean"
227 | },
228 | "reasonOutOfScope": {
229 | "description": "The component description if out of scope",
230 | "type": "string"
231 | },
232 | "storesCredentials": {
233 | "description": "The component flag set if store contains credentials/PII",
234 | "type": "boolean"
235 | },
236 | "storesInventory": {
237 | "description": "The component flag set if store is part of a retail web application",
238 | "type": "boolean"
239 | },
240 | "type": {
241 | "description": "The component type",
242 | "type": "string"
243 | },
244 | "hasOpenThreats": {
245 | "description": "The component flag set if there are open threats",
246 | "type": "boolean"
247 | }
248 | },
249 | "required": [ "hasOpenThreats", "name", "type" ]
250 | },
251 | "id": {
252 | "description": "The component unique identifier (UUID)",
253 | "type": "string",
254 | "minLength": 36
255 | },
256 | "position": {
257 | "description": "The component position",
258 | "type": "object",
259 | "properties": {
260 | "x": {
261 | "description": "The component horizontal position",
262 | "type": "number"
263 | },
264 | "y": {
265 | "description": "The component vertical position",
266 | "type": "number"
267 | }
268 | },
269 | "required": [ "x", "y" ]
270 | },
271 | "size": {
272 | "description": "The component body size (not line)",
273 | "type": "object",
274 | "properties": {
275 | "height": {
276 | "description": "The component height",
277 | "type": "number",
278 | "minimum": 10
279 | },
280 | "width": {
281 | "description": "The component width",
282 | "type": "number",
283 | "minimum": 10
284 | }
285 | },
286 | "required": [ "height", "width" ]
287 | },
288 | "connector": {
289 | "description": "The data flows and boundary geometry",
290 | "type": "string"
291 | },
292 | "source": {
293 | "description": "The component curve source",
294 | "type": "object",
295 | "properties": {
296 | "cell": {
297 | "description": "The data-flow source attachment point",
298 | "type": "string"
299 | },
300 | "x": {
301 | "description": "The boundary horizontal curve source",
302 | "type": "integer"
303 | },
304 | "y": {
305 | "description": "The boundary vertical curve source",
306 | "type": "integer"
307 | }
308 | }
309 | },
310 | "target": {
311 | "description": "The component curve target",
312 | "type": "object",
313 | "properties": {
314 | "cell": {
315 | "description": "The data-flow target attachment point",
316 | "type": "string"
317 | },
318 | "x": {
319 | "description": "The boundary horizontal curve target",
320 | "type": "integer"
321 | },
322 | "y": {
323 | "description": "The boundary vertical curve target",
324 | "type": "integer"
325 | }
326 | }
327 | },
328 | "threats": {
329 | "description": "The threats associated with the component",
330 | "type": "array",
331 | "items": {
332 | "type": "object",
333 | "properties": {
334 | "description": {
335 | "description": "The threat description",
336 | "type": "string"
337 | },
338 | "mitigation": {
339 | "description": "The threat mitigation",
340 | "type": "string"
341 | },
342 | "modelType": {
343 | "description": "The threat methodology type",
344 | "type": "string"
345 | },
346 | "number": {
347 | "description": "The unique number for the threat",
348 | "type": "integer",
349 | "minimum": 0
350 | },
351 | "score": {
352 | "description": "The custom score/risk for the threat",
353 | "type": "string"
354 | },
355 | "severity": {
356 | "description": "The threat severity as High, Medium or Low",
357 | "type": "string"
358 | },
359 | "status": {
360 | "description": "The threat status as NA, Open or Mitigated",
361 | "type": "string"
362 | },
363 | "threatId": {
364 | "description": "The threat ID as a UUID",
365 | "type": "string",
366 | "minLength": 36
367 | },
368 | "title": {
369 | "description": "The threat title",
370 | "type": "string"
371 | },
372 | "type": {
373 | "description": "The threat type, selection according to modelType",
374 | "type": "string"
375 | }
376 | },
377 | "required": [ "description", "mitigation", "severity", "status", "title", "type" ]
378 | }
379 | },
380 | "shape": {
381 | "description": "The component shape",
382 | "type": "string"
383 | },
384 | "visible": {
385 | "description": "The component visibility",
386 | "type": "boolean"
387 | },
388 | "vertices": {
389 | "description": "The boundary or data-flow curve points",
390 | "type": "array",
391 | "items": {
392 | "type": "object",
393 | "properties": {
394 | "x": {
395 | "description": "The horizontal value of the curve point",
396 | "type": "number"
397 | },
398 | "y": {
399 | "description": "The vertical value of the curve point",
400 | "type": "number"
401 | }
402 | },
403 | "required": [ "x", "y" ]
404 | }
405 | },
406 | "zIndex": {
407 | "description": "The component Z-plane",
408 | "type": "integer"
409 | }
410 | },
411 | "required": [ "id", "shape", "zIndex" ]
412 | }
413 | }
414 | },
415 | "required": [ "cells", "diagramType", "id", "thumbnail", "title", "version" ]
416 | }
417 | },
418 | "diagramTop": {
419 | "description": "The highest diagram number in the threat model",
420 | "type": "integer",
421 | "minimum": 0
422 | },
423 | "reviewer": {
424 | "description": "The reviewer of the overall threat model",
425 | "type": "string"
426 | },
427 | "threatTop": {
428 | "description": "The highest threat number in the threat model",
429 | "type": "integer",
430 | "minimum": 0
431 | }
432 | },
433 | "required": [ "contributors", "diagrams", "diagramTop", "reviewer", "threatTop" ]
434 | }
435 | },
436 | "required": [ "version", "summary", "detail" ]
437 | }
438 |
--------------------------------------------------------------------------------
/assets/schemas/threat.model.format.schema.json:
--------------------------------------------------------------------------------
1 | {
2 | "$id": "https://owasp.org/www-project-threat-dragon/assets/schemas/threat.model.format.schema.json",
3 | "title": "Threat Model Format",
4 | "description": "An open Threat Model Format (TMF) for threat models",
5 | "type": "object",
6 | "properties": {
7 | "tmfVersion": {
8 | "description": "The version of TMF using semantic versioning",
9 | "type": "string",
10 | "minLength": 5
11 | },
12 | "project": {
13 | "description": "Threat Model metadata",
14 | "type": "object",
15 | "properties": {
16 | "title": {
17 | "description": "The title or name of the threat model project",
18 | "type": "string",
19 | "minLength": 1
20 | },
21 | "version": {
22 | "description": "The version of the threat model",
23 | "type": "string"
24 | },
25 | "appVersion": {
26 | "description": "The version of the threat model program",
27 | "type": "string"
28 | },
29 | "id": {
30 | "description": "A unique identifier for the threat model project",
31 | "type": "string"
32 | },
33 | "overview": {
34 | "description": "An overview / description of the threat model",
35 | "type": [ "object", "string" ],
36 | "properties": {
37 | "business": {
38 | "description": "A business overview of the threat model",
39 | "type": "string"
40 | },
41 | "technical": {
42 | "description": "A technical overview of the threat model",
43 | "type": "string"
44 | }
45 | }
46 | },
47 | "owner": {
48 | "description": "The owner of the threat model project",
49 | "type": [ "object", "string" ],
50 | "properties": {
51 | "name": {
52 | "description": "The name of the owner",
53 | "type": "string"
54 | },
55 | "contact": {
56 | "description": "Contact details for the owner",
57 | "type": "string"
58 | }
59 | }
60 | },
61 | "reviewers": {
62 | "description": "The reviewers of the threat model project",
63 | "type": [ "array", "string" ],
64 | "items": {
65 | "description": "The reviewer",
66 | "type": [ "object", "string" ],
67 | "properties": {
68 | "name": {
69 | "description": "The name of the reviewer",
70 | "type": "string"
71 | },
72 | "contact": {
73 | "description": "Contact details for the reviewer",
74 | "type": "string"
75 | }
76 | }
77 | }
78 | },
79 | "contributors": {
80 | "description": "The contributors to the threat model project",
81 | "type": [ "array", "string" ],
82 | "items": {
83 | "description": "The contributor",
84 | "type": [ "object", "string" ],
85 | "properties": {
86 | "name": {
87 | "description": "The name of the contributor",
88 | "type": "string"
89 | },
90 | "contact": {
91 | "description": "Contact details for the contributor",
92 | "type": "string"
93 | }
94 | }
95 | }
96 | },
97 | "required": [ "title" ]
98 | }
99 | },
100 | "representations": {
101 | "description": "An array of representations of the threat model",
102 | "type": "array",
103 | "items": {
104 | "description": "A representation of the threat model",
105 | "type": "object",
106 | "properties": {
107 | "title": { "$ref": "#/$defs/title" },
108 | "id": { "$ref": "#/$defs/id" },
109 | "overview": {
110 | "description": "A description of the representation",
111 | "type": "string"
112 | }
113 | },
114 | "required": [ "title", "id" ]
115 | }
116 | },
117 | "requirements": {
118 | "description": "An array of security requirements for the threat model",
119 | "type": "array",
120 | "items": {
121 | "description": "A security requirement for the threat model",
122 | "type": "object",
123 | "properties": {
124 | "title": { "$ref": "#/$defs/title" },
125 | "id": { "$ref": "#/$defs/id" },
126 | "description": {
127 | "description": "A description of the security requirement",
128 | "type": "string"
129 | }
130 | },
131 | "required": [ "title", "id" ]
132 | }
133 | },
134 | "actors": {
135 | "description": "An array of actors in the threat model",
136 | "type": "array",
137 | "items": {
138 | "description": "An actor described by the threat model",
139 | "type": "object",
140 | "properties": {
141 | "title": { "$ref": "#/$defs/title" },
142 | "id": { "$ref": "#/$defs/id" },
143 | "description": {
144 | "description": "A description of the actor",
145 | "type": "string"
146 | }
147 | },
148 | "required": [ "title", "id" ]
149 | }
150 | },
151 | "assets": {
152 | "description": "An array of assets in the threat model",
153 | "type": "array",
154 | "items": {
155 | "description": "An asset described in the threat model",
156 | "type": "object",
157 | "properties": {
158 | "title": { "$ref": "#/$defs/title" },
159 | "id": { "$ref": "#/$defs/id" },
160 | "description": {
161 | "description": "A description of the asset",
162 | "type": "string"
163 | }
164 | },
165 | "required": [ "title", "id" ]
166 | }
167 | },
168 | "assumptions": {
169 | "description": "An array of assumptions made in the threat model",
170 | "type": "array",
171 | "items": {
172 | "description": "An assumption made in the threat model",
173 | "type": "object",
174 | "properties": {
175 | "title": { "$ref": "#/$defs/title" },
176 | "id": { "$ref": "#/$defs/id" },
177 | "description": {
178 | "description": "A description of the assumption",
179 | "type": "string"
180 | }
181 | },
182 | "required": [ "title", "id" ]
183 | }
184 | },
185 | "boundaries": {
186 | "description": "An array of (trust) boundaries in the threat model",
187 | "type": "array",
188 | "items": {
189 | "description": "A boundary described in the threat model",
190 | "type": "object",
191 | "properties": {
192 | "title": { "$ref": "#/$defs/title" },
193 | "id": { "$ref": "#/$defs/id" },
194 | "description": {
195 | "description": "A description of the boundary",
196 | "type": "string"
197 | }
198 | },
199 | "required": [ "title", "id" ]
200 | }
201 | },
202 | "data": {
203 | "description": "An array of data descriptions in the threat model, at rest or in transit",
204 | "type": "array",
205 | "items": {
206 | "description": "A data description included in the threat model",
207 | "type": "object",
208 | "properties": {
209 | "title": { "$ref": "#/$defs/title" },
210 | "id": { "$ref": "#/$defs/id" },
211 | "description": {
212 | "description": "A description for the data description",
213 | "type": "string"
214 | }
215 | },
216 | "required": [ "title", "id" ]
217 | }
218 | },
219 | "findings": {
220 | "description": "An array of findings identified in the threat model",
221 | "type": "array",
222 | "items": {
223 | "description": "A finding identified in the threat model",
224 | "type": "object",
225 | "properties": {
226 | "title": { "$ref": "#/$defs/title" },
227 | "id": { "$ref": "#/$defs/id" },
228 | "exclude": {
229 | "description": "The status of exclusion for the finding",
230 | "type": "object",
231 | "properties": {
232 | "excluded": {
233 | "description": "Mark the finding in the threat model as excluded",
234 | "type": "boolean"
235 | },
236 | "reason": {
237 | "description": "The reason for excluding the finding, such as false positive",
238 | "type": "string"
239 | }
240 | }
241 | },
242 | "description": {
243 | "description": "A description of the finding",
244 | "type": "string"
245 | }
246 | },
247 | "required": [ "title", "id" ]
248 | }
249 | },
250 | "flows": {
251 | "description": "An array of data flows for the threat model",
252 | "type": "array",
253 | "items": {
254 | "description": "A data flow included in the threat model",
255 | "type": "object",
256 | "properties": {
257 | "title": { "$ref": "#/$defs/title" },
258 | "id": { "$ref": "#/$defs/id" },
259 | "description": {
260 | "description": "A description of the data flow",
261 | "type": "string"
262 | }
263 | },
264 | "required": [ "title", "id" ]
265 | }
266 | },
267 | "elements": {
268 | "description": "An array of elements in the threat model",
269 | "type": "array",
270 | "items": {
271 | "description": "An element included in the threat model such as processes, servers, functions etc",
272 | "type": "object",
273 | "properties": {
274 | "title": { "$ref": "#/$defs/title" },
275 | "id": { "$ref": "#/$defs/id" },
276 | "description": {
277 | "description": "A description of the element",
278 | "type": "string"
279 | }
280 | },
281 | "required": [ "title", "id" ]
282 | }
283 | },
284 | "remediations": {
285 | "description": "An array of remediations in the threat model",
286 | "type": "array",
287 | "items": {
288 | "description": "A remediation included in the threat model",
289 | "type": "object",
290 | "properties": {
291 | "title": { "$ref": "#/$defs/title" },
292 | "id": { "$ref": "#/$defs/id" },
293 | "description": {
294 | "description": "A description of the remediation",
295 | "type": "string"
296 | }
297 | },
298 | "required": [ "title", "id" ]
299 | }
300 | },
301 | "threats": {
302 | "description": "An array of threats identified in the threat model",
303 | "type": "array",
304 | "items": {
305 | "description": "A threat identified in the threat model",
306 | "type": "object",
307 | "properties": {
308 | "title": { "$ref": "#/$defs/title" },
309 | "id": { "$ref": "#/$defs/id" },
310 | "description": {
311 | "description": "A description of the threat",
312 | "type": "string"
313 | }
314 | },
315 | "required": [ "title", "id" ]
316 | }
317 | }
318 | },
319 | "required": [ "project" ],
320 | "$defs": {
321 | "id": {
322 | "description": "A unique identifier such as a UUID",
323 | "type": "string",
324 | "minLength": 1
325 | },
326 | "title": {
327 | "description": "A title that may also be used as a label",
328 | "type": "string",
329 | "minLength": 1
330 | },
331 | "position": {
332 | "description": "Diagram element position",
333 | "type": "object",
334 | "properties": {
335 | "x": {
336 | "description": "Element horizontal position that may be negative",
337 | "type": "number"
338 | },
339 | "y": {
340 | "description": "Element vertical position that may be negative",
341 | "type": "number"
342 | }
343 | },
344 | "required": ["x", "y"]
345 | },
346 | "size": {
347 | "description": "Diagram element geometry",
348 | "type": "object",
349 | "properties": {
350 | "width": {
351 | "description": "Element width that cannot be negative",
352 | "type": "number",
353 | "minimum": 0
354 | },
355 | "height": {
356 | "description": "Element height that cannot be negative",
357 | "type": "number",
358 | "minimum": 0
359 | }
360 | },
361 | "required": ["width", "height"]
362 | }
363 | }
364 | }
365 |
--------------------------------------------------------------------------------
/code_of_conduct.md:
--------------------------------------------------------------------------------
1 | # Contributor Covenant Code of Conduct
2 |
3 | ## Our Pledge
4 |
5 | We as members, contributors, and leaders pledge to make participation in our
6 | community a harassment-free experience for everyone, regardless of age, body
7 | size, visible or invisible disability, ethnicity, sex characteristics, gender
8 | identity and expression, level of experience, education, socio-economic status,
9 | nationality, personal appearance, race, caste, color, religion, or sexual identity
10 | and orientation.
11 |
12 | We pledge to act and interact in ways that contribute to an open, welcoming,
13 | diverse, inclusive, and healthy community.
14 |
15 | ## Our Standards
16 |
17 | Examples of behavior that contributes to a positive environment for our
18 | community include:
19 |
20 | * Demonstrating empathy and kindness toward other people
21 | * Being respectful of differing opinions, viewpoints, and experiences
22 | * Giving and gracefully accepting constructive feedback
23 | * Accepting responsibility and apologizing to those affected by our mistakes,
24 | and learning from the experience
25 | * Focusing on what is best not just for us as individuals, but for the
26 | overall community
27 |
28 | Examples of unacceptable behavior include:
29 |
30 | * The use of sexualized language or imagery, and sexual attention or
31 | advances of any kind
32 | * Trolling, insulting or derogatory comments, and personal or political attacks
33 | * Public or private harassment
34 | * Publishing others' private information, such as a physical or email
35 | address, without their explicit permission
36 | * Other conduct which could reasonably be considered inappropriate in a
37 | professional setting
38 |
39 | ## Enforcement Responsibilities
40 |
41 | Community leaders are responsible for clarifying and enforcing our standards of
42 | acceptable behavior and will take appropriate and fair corrective action in
43 | response to any behavior that they deem inappropriate, threatening, offensive,
44 | or harmful.
45 |
46 | Community leaders have the right and responsibility to remove, edit, or reject
47 | comments, commits, code, wiki edits, issues, and other contributions that are
48 | not aligned to this Code of Conduct, and will communicate reasons for moderation
49 | decisions when appropriate.
50 |
51 | ## Scope
52 |
53 | This Code of Conduct applies within all community spaces, and also applies when
54 | an individual is officially representing the community in public spaces.
55 | Examples of representing our community include using an official e-mail address,
56 | posting via an official social media account, or acting as an appointed
57 | representative at an online or offline event.
58 |
59 | ## Enforcement
60 |
61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be
62 | reported to the community leaders responsible for enforcement by
63 | emailing [the project team](mailto:owasp.foundation@owasp.org) at the OWASP foundation.
64 | All complaints will be reviewed and investigated promptly and fairly.
65 |
66 | All community leaders are obligated to respect the privacy and security of the
67 | reporter of any incident.
68 |
69 | ## Enforcement Guidelines
70 |
71 | Community leaders will follow these Community Impact Guidelines in determining
72 | the consequences for any action they deem in violation of this Code of Conduct:
73 |
74 | ### 1. Correction
75 |
76 | **Community Impact**: Use of inappropriate language or other behavior deemed
77 | unprofessional or unwelcome in the community.
78 |
79 | **Consequence**: A private, written warning from community leaders, providing
80 | clarity around the nature of the violation and an explanation of why the
81 | behavior was inappropriate. A public apology may be requested.
82 |
83 | ### 2. Warning
84 |
85 | **Community Impact**: A violation through a single incident or series
86 | of actions.
87 |
88 | **Consequence**: A warning with consequences for continued behavior. No
89 | interaction with the people involved, including unsolicited interaction with
90 | those enforcing the Code of Conduct, for a specified period of time. This
91 | includes avoiding interactions in community spaces as well as external channels
92 | like social media. Violating these terms may lead to a temporary or
93 | permanent ban.
94 |
95 | ### 3. Temporary Ban
96 |
97 | **Community Impact**: A serious violation of community standards, including
98 | sustained inappropriate behavior.
99 |
100 | **Consequence**: A temporary ban from any sort of interaction or public
101 | communication with the community for a specified period of time. No public or
102 | private interaction with the people involved, including unsolicited interaction
103 | with those enforcing the Code of Conduct, is allowed during this period.
104 | Violating these terms may lead to a permanent ban.
105 |
106 | ### 4. Permanent Ban
107 |
108 | **Community Impact**: Demonstrating a pattern of violation of community
109 | standards, including sustained inappropriate behavior, harassment of an
110 | individual, or aggression toward or disparagement of classes of individuals.
111 |
112 | **Consequence**: A permanent ban from any sort of public interaction within
113 | the community.
114 |
115 | ## Attribution
116 |
117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage],
118 | version 2.0, available from the [contributor covenant][cofc] site.
119 |
120 | Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder][diversity].
121 |
122 | See the [FAQ][faq] for answers to common questions about this code of conduct;
123 | translations of this code of conduct are available from the [contributor covenant][translate] site.
124 |
125 | [cofc]: https://www.contributor-covenant.org/version/2/0/code_of_conduct.html
126 | [diversity]: https://github.com/mozilla/diversity
127 | [faq]: https://www.contributor-covenant.org/faq
128 | [homepage]: https://www.contributor-covenant.org
129 | [translate]: https://www.contributor-covenant.org/translations
130 |
--------------------------------------------------------------------------------
/contributing.md:
--------------------------------------------------------------------------------
1 | # Contributing to OWASP Threat Dragon
2 |
3 | Threat Dragon is a community project, and we are always delighted to welcome new contributors!
4 |
5 | When contributing:
6 |
7 | * see if there is [already an issue](https://github.com/OWASP/www-project-threat-dragon/issues) for what you want to do
8 | * follow our [Code of Conduct](code_of_conduct.md)
9 |
10 | ## Got a Question or Problem?
11 |
12 | If you have a question or problem relating to using Threat Dragon then the first thing to do is to check the
13 | [Frequently Asked Questions](https://owasp.org/www-project-threat-dragon/#div-faqs) tab
14 | on the [OWASP project page](https://owasp.org/www-project-threat-dragon/).
15 | Threat Dragon documentation is [available online](https://www.threatdragon.com/docs/).
16 |
17 | If this does not help then one of the
18 | [leaders / collaborators](https://github.com/OWASP/www-project-threat-dragon/blob/main/leaders.md)
19 | should be able to help.
20 |
21 | ## Found an Issue?
22 |
23 | If you have found a bug then raise an issue on
24 | [Threat Dragon](https://github.com/OWASP/www-project-threat-dragon/issues/)
25 | after logging into GitHub.
26 |
27 | It is worth checking to see if it has [already been reported](https://github.com/OWASP/www-project-threat-dragon/issues),
28 | and including as much information as you can to help us diagnose your problem.
29 |
30 | ## Found a Vulnerability?
31 |
32 | If you think you have found a vulnerability in Threat Dragon then please report it privately to our
33 | [leaders / collaborators](https://github.com/OWASP/www-project-threat-dragon/blob/main/leaders.md) rather than in a public issue.
34 |
35 | We are always very grateful to researchers who report vulnerabilities responsibly and are very happy
36 | to give all credit for the valuable assistance they provide.
37 |
38 | ## Have a Feature Request?
39 |
40 | If you have a suggestion for new functionality then you can raise this request as an issue on
41 | [Threat Dragon](https://github.com/OWASP/threat-dragon/issues/new/choose).
42 |
43 | It is worth checking to see if it has [already been requested](https://github.com/OWASP/threat-dragon/issues),
44 | and including as much information as you can so that we can fully understand your requirements.
45 |
46 | ## Coding
47 |
48 | There is always lots of coding to be done! Threat Dragon welcomes contributions and issues:
49 | [TD github repo](https://github.com/OWASP/threat-dragon/issues)
50 |
51 | ----
52 |
53 | Threat Dragon: _making threat modeling less threatening_
54 |
--------------------------------------------------------------------------------
/docs-1/about.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: About
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/about/
8 | redirect_to: https://threatdragon.github.io/about
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/api.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: API
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/api/
8 | redirect_to: https://threatdragon.github.io/api/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/cli.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: CLI
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/cli/
8 | redirect_to: https://threatdragon.github.io/cli/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/contributing.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Contributing
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/contributing/
8 | redirect_to: https://threatdragon.github.io/contribute/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/credits.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Credits
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/credits/
8 | redirect_to: https://threatdragon.github.io/credits/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/downloads.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Downloads
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/downloads/
8 | redirect_to: https://threatdragon.github.io/downloads/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/getting-started.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Getting started
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/getting-started/
8 | redirect_to: https://threatdragon.github.io/getting-started/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-1" %}
2 |
--------------------------------------------------------------------------------
/docs-1/install/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-1" %}
2 |
--------------------------------------------------------------------------------
/docs-1/install/install-desktop.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install desktop
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/install-desktop/
8 | redirect_to: https://threatdragon.github.io/install-desktop/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/install/install-webapp.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install web app
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/install-webapp/
8 | redirect_to: https://threatdragon.github.io/install-webapp/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/install/install.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/install/
8 | redirect_to: https://threatdragon.github.io/install/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/install/setup-env.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install environment
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/setup/
8 | redirect_to: https://threatdragon.github.io/setup-env/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/introduction.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Home
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/introduction/
8 | redirect_to: https://threatdragon.github.io/home
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/threat-generation.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Threat generation
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/threat-generation/
8 | redirect_to: https://threatdragon.github.io/threat-generation/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/threat-model-diagrams.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Threat model diagrams
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/diagrams/
8 | redirect_to: https://threatdragon.github.io/threat-model-diagrams/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-1/toc.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Table of Contents
4 | layout: redirected
5 | tags: threatdragon
6 | document: Threat Dragon version 1.6.1
7 | permalink: /docs-1/
8 | redirect_to: https://threatdragon.github.io/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/about.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: About
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/about/
8 | redirect_to: https://www.threatdragon.com/docs/home/about.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/credits.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Credits
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/credits/
8 | redirect_to: https://www.threatdragon.com/docs/home/credits.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/api.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: API
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/api/
8 | redirect_to: https://www.threatdragon.com/docs/development/api.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/contributing.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Contributing
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/contributing/
8 | redirect_to: https://www.threatdragon.com/docs/development/contributing.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/environment.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Development environment
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/development-environment/
8 | redirect_to: https://www.threatdragon.com/docs/development/environment.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/development/internationalization.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Translations
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/internationalization/
8 | redirect_to: https://www.threatdragon.com/docs/development/translations.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/local-development.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Development
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/local-development/
8 | redirect_to: https://www.threatdragon.com/docs/development/development.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/schema.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Schema
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/schema/
8 | redirect_to: https://www.threatdragon.com/docs/development/schema.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/testing/actions.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Pipeline actions
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/pipeline-actions/
8 | redirect_to: https://www.threatdragon.com/docs/testing/actions.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/testing/adhoc.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Testing
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/adhoc/
8 | redirect_to: https://www.threatdragon.com/docs/testing/testing.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/testing/e2e.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: End to end testing
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/e2e/
8 | redirect_to: https://www.threatdragon.com/docs/testing/e2e.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/development/testing/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/development/testing/unit.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Unit testing
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/unit/
8 | redirect_to: https://www.threatdragon.com/docs/testing/unit.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/introduction.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Introduction
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/introduction/
8 | redirect_to: https://www.threatdragon.com/docs/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/toc.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Table of Contents
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/
8 | redirect_to: https://www.threatdragon.com/docs/
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/trust/container.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Container scanning
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/container/
8 | redirect_to: https://www.threatdragon.com/docs/trust/container.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/trust/dast.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: DAST
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/dast/
8 | redirect_to: https://www.threatdragon.com/docs/trust/dast.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/trust/dependencies.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Dependency management
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/dependencies/
8 | redirect_to: https://www.threatdragon.com/docs/trust/dependencies.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/trust/incidents.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Trust
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/incidents/
8 | redirect_to: https://www.threatdragon.com/docs/trust/trust.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/trust/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/trust/sast.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: SAST
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/sast/
8 | redirect_to: https://www.threatdragon.com/docs/trust/sast.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/bitbucket.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure Bitbucket access
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/bitbucket-repo/
8 | redirect_to: https://www.threatdragon.com/docs/configure/bitbucket.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/environment.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure environment
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/install-environment/
8 | redirect_to: https://www.threatdragon.com/docs/configure/configure.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/github.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure Github access
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/github-repo/
8 | redirect_to: https://www.threatdragon.com/docs/configure/github.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/gitlab.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure GitLab access
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/gitlab-repo/
8 | redirect_to: https://www.threatdragon.com/docs/configure/gitlab.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/google.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure Google Drive access
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/google-drive/
8 | redirect_to: https://www.threatdragon.com/docs/configure/google.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/config/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/usage/config/local.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Configure local access
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/local-file/
8 | redirect_to: https://www.threatdragon.com/docs/configure/local.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/usage/install/desktop.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install Desktop
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/install-desktop/
8 | redirect_to: https://www.threatdragon.com/docs/install/desktop.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/install/docker.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install Docker
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/install-docker/
8 | redirect_to: https://www.threatdragon.com/docs/install/docker.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/install/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/usage/install/installation.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Installation
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/install-options/
8 | redirect_to: https://www.threatdragon.com/docs/install/installation.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/install/web.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Install Web Application
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/install-webapp/
8 | redirect_to: https://www.threatdragon.com/docs/install/web.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/modeling/diagrams.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Diagrams
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/diagrams/
8 | redirect_to: https://www.threatdragon.com/docs/usage/diagrams.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/modeling/getting-started.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Getting started
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/getting-started/
8 | redirect_to: https://www.threatdragon.com/docs/usage/getting-started.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/modeling/info.md:
--------------------------------------------------------------------------------
1 | {% include navigation.html collection="docs-2" %}
2 |
--------------------------------------------------------------------------------
/docs-2/usage/modeling/threat-categories.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Threat Categories
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/threat-categories/
8 | redirect_to: https://www.threatdragon.com/docs/usage/threat-categories.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/docs-2/usage/modeling/threats.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | title: Threats
4 | layout: redirected
5 | tags: threatdragon
6 | document: OWASP Threat Dragon version 2.4
7 | permalink: /docs-2/threats/
8 | redirect_to: https://www.threatdragon.com/docs/usage/threats.html
9 |
10 | ---
11 |
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | layout: col-sidebar
4 | title: OWASP Threat Dragon
5 | tags: threatdragon
6 | project: true
7 | level: 3
8 | type: tool
9 | pitch: OWASP Threat Dragon is a threat modeling tool; great for both developers and defenders alike. Use on your desktop or as a web application.
10 |
11 | ---
12 |
13 |
21 |
22 | {: .image-right }
23 |
24 | ## What is Threat Dragon?
25 |
26 | OWASP Threat Dragon is a modeling tool used to create threat model diagrams as part of a secure development lifecycle.
27 | Threat Dragon follows the values and principles of the [threat modeling manifesto][manifesto].
28 | It can be used to record possible threats and decide on their mitigations, as well as giving a visual indication
29 | of the threat model components and threat surfaces.
30 | Threat Dragon runs either as a web application or as a desktop application.
31 |
32 | Threat Dragon supports STRIDE / [LINDDUN](https://www.linddun.org/) / CIA / DIE / [PLOT4ai](https://plot4.ai/),
33 | provides modeling diagrams and implements a rule engine to auto-generate threats and their mitigations.
34 |
35 | ### Resources
36 |
37 | Use the [version 1][docs-1] or [version 2][docs-2] documentation to get started,
38 | along with the recording of Mike Goodwin giving a [lightning demo][demo]
39 | during the OWASP Open Security Summit in June 2020.
40 |
41 | An [introduction](https://www.youtube.com/watch?v=hUOAoc6QGJo) to Threat Dragon is provided by
42 | the [OWASP Spotlight](https://www.youtube.com/playlist?list=PLUKo5k_oSrfOTl27gUmk2o-NBKvkTGw0T) series,
43 | and the [Threat Modeling Gamification](https://www.youtube.com/watch?v=u2tmLrwv-nc) seminar by Vlad Styran
44 | shows how using Threat Dragon can make threat modeling fun.
45 |
46 | There are a couple of OWASP community pages that give overviews on Threat Modeling and how to get started:
47 | [Threat Modeling](https://owasp.org/www-community/Threat_Modeling)
48 | and [Threat Modeling Process](https://owasp.org/www-community/Threat_Modeling_Process).
49 |
50 | The easiest way to get in contact with the Threat Dragon community is via the OWASP Slack
51 | [#project-threat-dragon](https://owasp.slack.com/messages/CURE8PQ68) project channel,
52 | you may need to [subscribe](https://owasp.org/slack/invite) first.
53 |
54 | ### Related Projects
55 |
56 | * [OWASP pytm (Pythonic Threat Modeling)][pytm]
57 | * [Threat Modeling OWASP Cheat Sheet][tmcs]
58 | * [Threagile - Agile Threat Modeling][threagile], a (non-OWASP) open source project
59 |
60 | ----
61 |
62 | Threat Dragon: _making threat modeling less threatening_
63 |
64 | [demo]: https://youtu.be/n6JGcZGFq5o
65 | [docs-1]: https://threatdragon.github.io/
66 | [docs-2]: https://www.threatdragon.com/docs/
67 | [manifesto]: https://www.threatmodelingmanifesto.org/
68 | [pytm]: https://owasp.org/www-project-pytm/
69 | [threagile]: https://threagile.io
70 | [tmcs]: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html
71 |
--------------------------------------------------------------------------------
/info.md:
--------------------------------------------------------------------------------
1 | ### Classification
2 |
3 | * Lab Project
4 | * Tool
5 |
6 | ### Audience
7 |
8 | * Builder
9 | * Defender
10 |
11 | ### Documentation
12 |
13 | * [Version 1.6.x](https://threatdragon.github.io/)
14 | * [Version 2.x](https://www.threatdragon.com/docs/)
15 | * [Demonstration](https://www.threatdragon.com/)
16 |
17 | ### Downloads
18 |
19 | * Single page [web application](https://github.com/OWASP/threat-dragon/releases/tag/v2.4.1)
20 | * Docker [image](https://hub.docker.com/r/owasp/threat-dragon/tags?page=1&ordering=name)
21 | * Desktop installers for:
22 | * [Linux / MacOS / Windows](https://github.com/OWASP/threat-dragon/releases/tag/v2.4.1)
23 |
24 | ### Source
25 |
26 | * Threat Dragon [github repo](https://github.com/OWASP/threat-dragon)
27 |
28 | ### Licensing
29 |
30 | * [Apache 2 License](https://www.apache.org/licenses/LICENSE-2.0)
31 |
--------------------------------------------------------------------------------
/leaders.md:
--------------------------------------------------------------------------------
1 | ### Leaders
2 |
3 | * [Mike Goodwin](mailto:mike.goodwin@owasp.org)
4 | * [Jon Gadsden](mailto:jon.gadsden@owasp.org)
5 | * [Leo Reading](mailto:leo.reading@owasp.org)
6 |
7 | ### Main Contributors
8 |
9 | * [Mohamed El-Bohy](https://github.com/mohamedselbohy)
10 |
--------------------------------------------------------------------------------
/license.txt:
--------------------------------------------------------------------------------
1 | Apache License
2 | Version 2.0, January 2004
3 | http://www.apache.org/licenses/
4 |
5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
6 |
7 | 1. Definitions.
8 |
9 | "License" shall mean the terms and conditions for use, reproduction,
10 | and distribution as defined by Sections 1 through 9 of this document.
11 |
12 | "Licensor" shall mean the copyright owner or entity authorized by
13 | the copyright owner that is granting the License.
14 |
15 | "Legal Entity" shall mean the union of the acting entity and all
16 | other entities that control, are controlled by, or are under common
17 | control with that entity. For the purposes of this definition,
18 | "control" means (i) the power, direct or indirect, to cause the
19 | direction or management of such entity, whether by contract or
20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
21 | outstanding shares, or (iii) beneficial ownership of such entity.
22 |
23 | "You" (or "Your") shall mean an individual or Legal Entity
24 | exercising permissions granted by this License.
25 |
26 | "Source" form shall mean the preferred form for making modifications,
27 | including but not limited to software source code, documentation
28 | source, and configuration files.
29 |
30 | "Object" form shall mean any form resulting from mechanical
31 | transformation or translation of a Source form, including but
32 | not limited to compiled object code, generated documentation,
33 | and conversions to other media types.
34 |
35 | "Work" shall mean the work of authorship, whether in Source or
36 | Object form, made available under the License, as indicated by a
37 | copyright notice that is included in or attached to the work
38 | (an example is provided in the Appendix below).
39 |
40 | "Derivative Works" shall mean any work, whether in Source or Object
41 | form, that is based on (or derived from) the Work and for which the
42 | editorial revisions, annotations, elaborations, or other modifications
43 | represent, as a whole, an original work of authorship. For the purposes
44 | of this License, Derivative Works shall not include works that remain
45 | separable from, or merely link (or bind by name) to the interfaces of,
46 | the Work and Derivative Works thereof.
47 |
48 | "Contribution" shall mean any work of authorship, including
49 | the original version of the Work and any modifications or additions
50 | to that Work or Derivative Works thereof, that is intentionally
51 | submitted to Licensor for inclusion in the Work by the copyright owner
52 | or by an individual or Legal Entity authorized to submit on behalf of
53 | the copyright owner. For the purposes of this definition, "submitted"
54 | means any form of electronic, verbal, or written communication sent
55 | to the Licensor or its representatives, including but not limited to
56 | communication on electronic mailing lists, source code control systems,
57 | and issue tracking systems that are managed by, or on behalf of, the
58 | Licensor for the purpose of discussing and improving the Work, but
59 | excluding communication that is conspicuously marked or otherwise
60 | designated in writing by the copyright owner as "Not a Contribution."
61 |
62 | "Contributor" shall mean Licensor and any individual or Legal Entity
63 | on behalf of whom a Contribution has been received by Licensor and
64 | subsequently incorporated within the Work.
65 |
66 | 2. Grant of Copyright License. Subject to the terms and conditions of
67 | this License, each Contributor hereby grants to You a perpetual,
68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
69 | copyright license to reproduce, prepare Derivative Works of,
70 | publicly display, publicly perform, sublicense, and distribute the
71 | Work and such Derivative Works in Source or Object form.
72 |
73 | 3. Grant of Patent License. Subject to the terms and conditions of
74 | this License, each Contributor hereby grants to You a perpetual,
75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
76 | (except as stated in this section) patent license to make, have made,
77 | use, offer to sell, sell, import, and otherwise transfer the Work,
78 | where such license applies only to those patent claims licensable
79 | by such Contributor that are necessarily infringed by their
80 | Contribution(s) alone or by combination of their Contribution(s)
81 | with the Work to which such Contribution(s) was submitted. If You
82 | institute patent litigation against any entity (including a
83 | cross-claim or counterclaim in a lawsuit) alleging that the Work
84 | or a Contribution incorporated within the Work constitutes direct
85 | or contributory patent infringement, then any patent licenses
86 | granted to You under this License for that Work shall terminate
87 | as of the date such litigation is filed.
88 |
89 | 4. Redistribution. You may reproduce and distribute copies of the
90 | Work or Derivative Works thereof in any medium, with or without
91 | modifications, and in Source or Object form, provided that You
92 | meet the following conditions:
93 |
94 | (a) You must give any other recipients of the Work or
95 | Derivative Works a copy of this License; and
96 |
97 | (b) You must cause any modified files to carry prominent notices
98 | stating that You changed the files; and
99 |
100 | (c) You must retain, in the Source form of any Derivative Works
101 | that You distribute, all copyright, patent, trademark, and
102 | attribution notices from the Source form of the Work,
103 | excluding those notices that do not pertain to any part of
104 | the Derivative Works; and
105 |
106 | (d) If the Work includes a "NOTICE" text file as part of its
107 | distribution, then any Derivative Works that You distribute must
108 | include a readable copy of the attribution notices contained
109 | within such NOTICE file, excluding those notices that do not
110 | pertain to any part of the Derivative Works, in at least one
111 | of the following places: within a NOTICE text file distributed
112 | as part of the Derivative Works; within the Source form or
113 | documentation, if provided along with the Derivative Works; or,
114 | within a display generated by the Derivative Works, if and
115 | wherever such third-party notices normally appear. The contents
116 | of the NOTICE file are for informational purposes only and
117 | do not modify the License. You may add Your own attribution
118 | notices within Derivative Works that You distribute, alongside
119 | or as an addendum to the NOTICE text from the Work, provided
120 | that such additional attribution notices cannot be construed
121 | as modifying the License.
122 |
123 | You may add Your own copyright statement to Your modifications and
124 | may provide additional or different license terms and conditions
125 | for use, reproduction, or distribution of Your modifications, or
126 | for any such Derivative Works as a whole, provided Your use,
127 | reproduction, and distribution of the Work otherwise complies with
128 | the conditions stated in this License.
129 |
130 | 5. Submission of Contributions. Unless You explicitly state otherwise,
131 | any Contribution intentionally submitted for inclusion in the Work
132 | by You to the Licensor shall be under the terms and conditions of
133 | this License, without any additional terms or conditions.
134 | Notwithstanding the above, nothing herein shall supersede or modify
135 | the terms of any separate license agreement you may have executed
136 | with Licensor regarding such Contributions.
137 |
138 | 6. Trademarks. This License does not grant permission to use the trade
139 | names, trademarks, service marks, or product names of the Licensor,
140 | except as required for reasonable and customary use in describing the
141 | origin of the Work and reproducing the content of the NOTICE file.
142 |
143 | 7. Disclaimer of Warranty. Unless required by applicable law or
144 | agreed to in writing, Licensor provides the Work (and each
145 | Contributor provides its Contributions) on an "AS IS" BASIS,
146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 | implied, including, without limitation, any warranties or conditions
148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 | PARTICULAR PURPOSE. You are solely responsible for determining the
150 | appropriateness of using or redistributing the Work and assume any
151 | risks associated with Your exercise of permissions under this License.
152 |
153 | 8. Limitation of Liability. In no event and under no legal theory,
154 | whether in tort (including negligence), contract, or otherwise,
155 | unless required by applicable law (such as deliberate and grossly
156 | negligent acts) or agreed to in writing, shall any Contributor be
157 | liable to You for damages, including any direct, indirect, special,
158 | incidental, or consequential damages of any character arising as a
159 | result of this License or out of the use or inability to use the
160 | Work (including but not limited to damages for loss of goodwill,
161 | work stoppage, computer failure or malfunction, or any and all
162 | other commercial damages or losses), even if such Contributor
163 | has been advised of the possibility of such damages.
164 |
165 | 9. Accepting Warranty or Additional Liability. While redistributing
166 | the Work or Derivative Works thereof, You may choose to offer,
167 | and charge a fee for, acceptance of support, warranty, indemnity,
168 | or other liability obligations and/or rights consistent with this
169 | License. However, in accepting such obligations, You may act only
170 | on Your own behalf and on Your sole responsibility, not on behalf
171 | of any other Contributor, and only if You agree to indemnify,
172 | defend, and hold each Contributor harmless for any liability
173 | incurred by, or claims asserted against, such Contributor by reason
174 | of your accepting any such warranty or additional liability.
175 |
176 | END OF TERMS AND CONDITIONS
177 |
178 | APPENDIX: How to apply the Apache License to your work.
179 |
180 | To apply the Apache License to your work, attach the following
181 | boilerplate notice, with the fields enclosed by brackets "{}"
182 | replaced with your own identifying information. (Don't include
183 | the brackets!) The text should be enclosed in the appropriate
184 | comment syntax for the file format. We also recommend that a
185 | file or class name and description of purpose be included on the
186 | same "printed page" as the copyright notice for easier
187 | identification within third-party archives.
188 |
189 | Copyright 2017 Mike Goodwin
190 |
191 | Licensed under the Apache License, Version 2.0 (the "License");
192 | you may not use this file except in compliance with the License.
193 | You may obtain a copy of the License at
194 |
195 | http://www.apache.org/licenses/LICENSE-2.0
196 |
197 | Unless required by applicable law or agreed to in writing, software
198 | distributed under the License is distributed on an "AS IS" BASIS,
199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 | See the License for the specific language governing permissions and
201 | limitations under the License.
202 |
203 |
--------------------------------------------------------------------------------
/security.md:
--------------------------------------------------------------------------------
1 | ## Security Policy
2 |
3 | It is possible that a malicious actor could embed malware in the markdown
4 | or subvert the scripts for this project.
5 | If you find anything suspicious in this Threat Dragon site then please let us know ASAP
6 | and we will fix it as a priority.
7 |
8 | Open a [security advisory][advisory]; it will be provided
9 | only to the project's admins and handled in strict confidence.
10 |
11 | [advisory]: https://github.com/OWASP/www-project-threat-dragon/security/advisories/new
12 |
--------------------------------------------------------------------------------
/tab_faqs.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Faqs
3 | displaytext: FAQs
4 | layout: null
5 | tab: true
6 | order: 2
7 | tags: threatdragon
8 | ---
9 |
10 | ## FAQs
11 |
12 | * [Where are the arrows that allow me to create data flows?](https://github.com/OWASP/threat-dragon/wiki/FAQs#where-are-the-arrows-that-allow-me-to-create-dataflows)
13 |
14 | * [Why do the earlier releases come from Mike Goodwin's repo, not the OWASP repo?](https://github.com/OWASP/threat-dragon/wiki/FAQs#why-do-the-earlier-releases-come-from-mike-goodwins-repo-not-the-owasp-repo)
15 |
16 | * [I get failures when installing from source code](https://github.com/OWASP/threat-dragon/wiki/FAQs#i-get-failures-when-installing-from-source-code)
17 |
18 | * [I get a failure when printing a report](https://github.com/OWASP/threat-dragon/wiki/FAQs#i-get-a-failure-when-printing-a-report)
19 |
20 | * [Why do I get 'OWASP-Threat-Dragon-Setup isn't commonly downloaded' warnings after downloading on Windows?](https://github.com/OWASP/threat-dragon/wiki/FAQs#why-do-i-get-owasp-threat-dragon-setup-isnt-commonly-downloaded-warnings-after-downloading-on-windows)
21 |
22 | * [Why do I get 'Apple cannot check it for malicious software' errors after installing on MacOS?](https://github.com/OWASP/threat-dragon/wiki/FAQs#why-do-i-get-developer-can-not-be-verified-errors-after-installing-on-macos)
23 |
24 | * [Why do I get 'Permissions failure opening Mac desktop app' when installing from the zip file?](https://github.com/OWASP/threat-dragon/wiki/FAQs#why-do-i-get-permissions-failure-opening-mac-desktop-app-when-installing-from-the-zip-file)
25 |
26 | * [Why do I get 'developer can not be verified' errors after installing on MacOS?](https://github.com/OWASP/threat-dragon/wiki/FAQs#why-do-i-get-developer-can-not-be-verified-errors-after-installing-on-macos)
27 |
28 | * [Can I run Threat Dragon Desktop from a command line?](https://github.com/OWASP/threat-dragon/wiki/FAQs#can-i-run-threat-dragon-desktop-from-a-command-line)
29 |
30 | * [Is there a command line interface for Threat Dragon Desktop?](https://github.com/OWASP/threat-dragon/wiki/FAQs#is-there-a-command-line-interface-for-threat-dragon-desktop)
31 |
32 | * [What browsers can be used for Threat Dragon?](https://github.com/OWASP/threat-dragon/wiki/FAQs#what-browsers-can-be-used-for-threat-dragon)
33 |
34 | * [Hold on...isn't this the same as Mozilla's SeaSponge?](https://github.com/OWASP/threat-dragon/wiki/FAQs#hold-onisnt-this-the-same-as-mozillas-seasponge)
35 |
36 | * [When is Threat Dragon's birthday? And does Threat Dragon have a theme tune?](https://github.com/OWASP/threat-dragon/wiki/FAQs#when-is-threat-dragons-birthday-and-does-threat-dragon-have-a-theme-tune)
37 |
38 | ----
39 |
40 | Threat Dragon: _making threat modeling less threatening_
41 |
--------------------------------------------------------------------------------
/tab_releases.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Releases
3 | layout: null
4 | tab: true
5 | order: 1
6 | tags: threatdragon
7 | ---
8 |
9 | ## Releases
10 |
11 | Release | Date | Location | Comments
12 | ------- | ---- | -------- | --------
13 | v2.4.1 | Mar 2025 | [github][241] | Bug fix for diagram labels, TBA renamed TBD
14 | v2.4 | Mar 2025 | [github][240] | Additional threat priorities, TLS credentials, export model diagrams, create new repo branches
15 | v2.3 | Dec 2024 | [github][230] | suggest threats by element and threats by context, builds for ARM64 platforms and google sign-in feature
16 | v2.2 | Feb 2024 | [github][220] | add GitLab support and user prompt to save model when quitting
17 | v2.1.3 | Jan 2024 | [github][213] | bug fix for desktop menu discarding diagram edits, add schema for Open Threat Modeling (OTM)
18 | v2.1.2 | Nov 2023 | [github][212] | add Bitbucket access, PLOT4ai threats and bug-fix for data-flows overwriting properties
19 | v2.1.1 | Oct 2023 | [github][211] | desktop version provides guard advising of overwriting threats changes
20 | v2.1 | Oct 2023 | [github][210] | desktop version provides guard advising of overwriting diagram changes
21 | v2.0.9 | Oct 2023 | [github][209] | names for diagram data flow and trust boundary curves preserved when unselected
22 | v2.0.8 | Oct 2023 | [github][208] | diagram component properties correctly displayed when selecting new component
23 | v2.0.7 | Sep 2023 | [github][207] | fix bug when selecting trust boundary curves
24 | v2.0.6 | Sep 2023 | [github][206] | ability to filter Github repos; translation for Finnish; improve data flow selection and handling
25 | v2.0.4 | Aug 2023 | [github][204] | various bug fixes
26 | v2.0.2 | Apr 2023 | [github][202] | collection of bug fixes; PDF report button, threat IDs fixed, reporting expanded
27 | v2.0 | Feb 2023 | [github][200] | substantial rewrite for new drawing library [@antv/g6][ant]
28 | v1.6.1 | Mar 2022 | [github][161] | Docs now moved to the new site; last release of 1.x before version 2.0
29 | v1.6 | Dec 2021 | [github][160] | Automated threat and context threat generation
30 | v1.5.8 | Sep 2021 | [github][158] | Shows 'NA' threats as completed/mitigated; fixes bug in threat engine (web app only); signed binaries for Windows
31 | v1.5.5 | Sep 2021 | [github][155] | MacOS images are signed and notarized; Linux Snap image available as [snapcraft distribution][snap]
32 | v1.4 | 5 May 2021 | [github][140] | Provides dotenv for environment variables; updates to docker image; substantial code reorganisation
33 | v1.3.1 | 26 Oct 2020 | [Web app][131] [Desktop][131-desk] | update documentation link to point to new docs page
34 | v1.3 | 3 Sep 2020 | [Web app][130] [Desktop][130-desk] | support for LINDDUN and CIA as well as STRIDE and desktop command line interface
35 | v1.2 | 14 Apr 2020 | [Web app][120] [Desktop][120-desk] | description for diagram elements; label applied to boundaries; save button always enabled; zoom functionality disabled; hot key copy and paste for diagram elements
36 | v1.1 | 15 Mar 2020 | [Web app][110] | Duplicate element/diagram feature
37 | v1.1 | 10 Mar 2020 | [Desktop][110-desk] | Bug fix for blank screen on new model, and duplicate element/diagram feature
38 | v1.0 | 22 Feb 2020 | [Desktop][100-desk] | First full desktop release for Windows, MacOS and Linux
39 | v0.1.27-alpha | 28 Jul 2019 | [Desktop][0127-desk] | Windows desktop only
40 | v0.1.26 | 16 May 2017 | [Desktop][0126-desk] | MacOS and Windows desktop only
41 | 0.3.0 | 14 Mar 2017 | [Web app][030] | alpha release
42 | v0.1.1-alpha | 14 Mar 2016 | [Web app][011] | alpha release
43 |
44 | ----
45 |
46 | Threat Dragon: _making threat modeling less threatening_
47 |
48 | [011]: https://github.com/mike-goodwin/owasp-threat-dragon/releases/tag/v0.1.1-alpha
49 | [030]: https://github.com/mike-goodwin/owasp-threat-dragon/releases/tag/0.3.0
50 | [0126-desk]: https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/0.1.26
51 | [0127-desk]: https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/0.1.27
52 | [100-desk]: https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/v1.0
53 | [110]: https://github.com/mike-goodwin/owasp-threat-dragon/releases/tag/v1.1
54 | [110-desk]: https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/v1.1
55 | [120]: https://github.com/mike-goodwin/owasp-threat-dragon/releases/tag/v1.2
56 | [120-desk]: https://github.com/mike-goodwin/owasp-threat-dragon-desktop/releases/tag/v1.2
57 | [130]: https://github.com/OWASP/threat-dragon/releases/tag/v1.3
58 | [130-desk]: https://github.com/OWASP/threat-dragon-desktop/releases/tag/v1.3
59 | [131]: https://github.com/OWASP/threat-dragon/releases/tag/v1.3.1
60 | [131-desk]: https://github.com/OWASP/threat-dragon-desktop/releases/tag/v1.3.1
61 | [140]: https://github.com/OWASP/threat-dragon/releases/tag/v1.4.0
62 | [155]: https://github.com/OWASP/threat-dragon/releases/tag/v1.5.5
63 | [158]: https://github.com/OWASP/threat-dragon/releases/tag/v1.5.8
64 | [160]: https://github.com/OWASP/threat-dragon/releases/tag/v1.6.0
65 | [161]: https://github.com/OWASP/threat-dragon/releases/tag/v1.6.1
66 | [200]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.0
67 | [202]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.2
68 | [204]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.4
69 | [206]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.6
70 | [207]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.7
71 | [208]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.8
72 | [209]: https://github.com/OWASP/threat-dragon/releases/tag/v2.0.9
73 | [210]: https://github.com/OWASP/threat-dragon/releases/tag/v2.1.0
74 | [211]: https://github.com/OWASP/threat-dragon/releases/tag/v2.1.1
75 | [212]: https://github.com/OWASP/threat-dragon/releases/tag/v2.1.2
76 | [213]: https://github.com/OWASP/threat-dragon/releases/tag/v2.1.3
77 | [220]: https://github.com/OWASP/threat-dragon/releases/tag/v2.2.0
78 | [230]: https://github.com/OWASP/threat-dragon/releases/tag/v2.3.0
79 | [240]: https://github.com/OWASP/threat-dragon/releases/tag/v2.4.0
80 | [241]: https://github.com/OWASP/threat-dragon/releases/tag/v2.4.1
81 | [ant]: https://www.npmjs.com/package/@antv/g6
82 | [snap]: https://snapcraft.io/threat-dragon
83 |
--------------------------------------------------------------------------------
/tab_roadmap.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: Roadmap
3 | layout: null
4 | tab: true
5 | order: 3
6 | tags: threatdragon
7 | ---
8 |
9 | ### Version 2.5: in progress
10 |
11 | - [ ] provide an API for CI/CD pipelines
12 | - [ ] provide a CLI for scripting based on TD's existing [use of yargs](https://github.com/yargs/yargs)
13 |
14 | ### Version 2.3: released December 2024
15 |
16 | - [x] automated threats (both by element and by OATS)
17 |
18 | ### Version 2.2: released February 2024
19 |
20 | Threat model access for web app:
21 |
22 | - [x] load models from various repos:
23 | - [x] github enterprise
24 | - [x] gitlab
25 | - [x] github enterprise
26 | - [x] BitBucket
27 |
28 | ### Version 2.1: released October 2023
29 |
30 | Stable version of 2.x.x with bug fixes and usable diagram tools. Still not feature complete:
31 |
32 | - missing CLI for scripting
33 | - missing automated threats (both by element and by OATS)
34 |
35 | ### Version 2.0: released February 2023
36 |
37 | **migrate to a combined application for both desktop and webapp**:
38 |
39 | - [x] be strictly open source
40 | - [x] use [Vue](https://v3.vuejs.org/guide/introduction.html#what-is-vue-js) for frontend application
41 | - [x] use [@antv/g6](https://www.npmjs.com/package/@antv/g6) for the drawing library
42 | - [x] frontend logging using [bunyan](https://github.com/trentm/node-bunyan)
43 | and optional logging to the console during development
44 | - [x] use [electron](https://www.electronjs.org/) to wrap webapp for desktop
45 | - [X] provide auto-update using [electron](https://www.electronjs.org/)
46 | - [X] expand electron unit tests using
47 | [WDIO Electron Service](https://github.com/webdriverio-community/wdio-electron-service)
48 | - [x] webapp unit test framework [Jest](https://jestjs.io/)
49 | - [x] component test [Vue testing library](https://github.com/testing-library/vue-testing-library)
50 | - [x] end-to-end test [cypress](https://github.com/cypress-io/cypress)
51 | - [x] set up ZAP to provide security testing on commit
52 | - [x] design files are to be backwardly compatible to Threat Dragon json
53 |
54 | **demonstration pages**:
55 |
56 | - [x] an online demonstration to be provided on [threat dragon's site](https://www.threatdragon.com)
57 | - [x] demo should either be a snapshot or a release version
58 |
59 | ### Version 1.4: released May 2021
60 |
61 | - [x] written in javascript ES6 / ECMAScript 2015 or compatible
62 | - [x] run on [node.js](https://nodejs.org/en/) server
63 | - [x] use [express](http://expressjs.com/en/starter/installing.html) for backend application
64 | - [x] provide a dockerfile for running in docker,
65 | similar to [existing TD](https://github.com/OWASP/threat-dragon/blob/main/Dockerfile)
66 | - [x] static code analysis using [ESLint](https://eslint.org)
67 | - [x] webapp test runner [Karma](http://karma-runner.github.io/6.3/intro/installation.html)
68 | with [Jasmine](https://jasmine.github.io)
69 | for [Vue Test Utils](https://vue-test-utils.vuejs.org/installation/#using-other-test-runners)
70 | - [x] backend unit test framework
71 | [MochaJS](https://mochajs.org) and assertions from [chai](https://github.com/chaijs/chai)
72 | - [x] bundle the application and api for production using [webpack](https://webpack.js.org/)
73 | - [x] be strictly open source, avoiding using languages or frameworks maintained outside the open source community
74 |
75 | **documentation**:
76 |
77 | - [x] documentation should be updated at the [threat dragon github pages](https://threatdragon.github.io/)
78 | - [x] version 1.x docs are preserved and migrated to version 2.0
79 | - [x] docs should be static pages based on [Jekyll](https://jekyllrb.com) and markdown
80 |
81 | ### Previous versions
82 |
83 | Mike Goodwin's initial roadmap for the project is
84 | [archived here](https://github.com/OWASP/www-project-threat-dragon/wiki/Original-Roadmap).
85 | The original roadmap had various milestones, most of which were achieved by late 2020.
86 |
87 | **Milestone 4**: Dev lifecycle integration
88 |
89 | - Some CLI interface available mid 2020
90 |
91 | **Milestone 3**: Release 1.0
92 |
93 | - production version released February 2020
94 | - version 1.3.1 released October 2020
95 |
96 | **Milestone 2**: Beta release: Threat/mitigation rule engine
97 |
98 | - achieved May 2017 with version 0.1.26
99 |
100 | **Milestone 1**: Alpha release - Basic threat modelling experience
101 |
102 | - achieved October 2015
103 |
104 | ----
105 |
106 | Threat Dragon: _making threat modeling less threatening_
107 |
--------------------------------------------------------------------------------
/tab_tmf.md:
--------------------------------------------------------------------------------
1 | ---
2 | title: TMF
3 | layout: null
4 | tab: true
5 | order: 4
6 | tags: threatdragon
7 | ---
8 |
9 | ### Threat Model File (TMF) format
10 |
11 | Threat Dragon version 1.x and Threat Dragon version 2.x use closely related but incompatible JSON file formats.
12 | In addition both these file formats are arranged around diagram elements used by the graph editing engines:
13 | JointJS for version 1.x and AntV/X6 for version 2.x.
14 | The data model used in the Threat Dragon file format would be better centred on threat model information
15 | rather than on the data used for the graph editing.
16 |
17 | Both Threat Dragon file formats are incompatible with other open source Threat Modeling files
18 | such as pytm, Threagile and Open Threat Model.
19 |
20 | The intention is to change the model file format in Threat Dragon version 3.x onwards.
21 | The goal will be to define a schema that is flexible enough to easily convert from the existing:
22 |
23 | * OWASP Threat Dragon versions 1.x and 2.x
24 | * [OWASP pytm][pytm] pythonic threat modeling
25 | * [Threagile][threagile] open-source toolkit for agile threat modeling
26 | * [Open Threat Model][otm] (OTM) file format
27 |
28 | There is an [open discussion][discussion] for suggestions and debate on this subject.
29 |
30 | [discussion]: https://github.com/OWASP/threat-dragon/discussions/1152
31 | [otm]: https://github.com/iriusrisk/OpenThreatModel
32 | [pytm]: https://owasp.org/www-project-pytm/
33 | [threagile]: https://threagile.io
34 |
--------------------------------------------------------------------------------